Information

This article provides detailed information about the impact of the three side-channel attacks listed below on Pulse Secure products.

CVE-2017-5753 (Bounds Check bypass, AKA Spectre)

CVE-2017-5715 (Branch Target Injection, AKA Spectre)

CVE-2017-5754 (Meltdown)

Solution

The PSA series, MAG Series, Secure Access X500 series and Infranet Controller X500 series models that host Pulse Connect Secure, Pulse Policy Secure and Pulse One Appliance (on-prem) solutions are not vulnerable. This issue can only be exploited by software that has local access, and the above-mentioned products are designed to allow only trusted software provided by Pulse Secure to run on these platforms, which effectively mitigates any risk of side-channel analysis from these attacks.

Pulse Secure Virtual Appliances (SPE) may be impacted by this issue depending on the version of the hypervisor (i.e. ESXi, KVM, or Hyper-V) that hosts the Pulse Secure Virtual Appliance instance. Please check with the respective hypervisor vendor for their recommendations on how to mitigate any risks from these issues.

Pulse One Cloud solution and Pulse Workspace solution: Neither of these cloud-based solutions is vulnerable to these CVEs.

vADC (vTM, Services Director, vWAF) Software Installation: May be impacted by this issue only if executing on a platform vulnerable to these side-channel attacks (e.g. operating system).

vADC (Services Director) Virtual Appliances: May be impacted by this issue only if executing on a platform vulnerable to these side-channel attacks (e.g. hypervisor).

vADC (vTM, vWAF) Virtual Appliances and Bare-Metal: Vulnerable. In addition, they may be impacted if executing on a platform vulnerable to these side-channel attacks (e.g. hypervisor). We are currently assessing mitigation options, which are not limited to a fix; the fix is awaiting the delivery of patches from the 3rd party OS vendor. Please refer to https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown for additional information on the delivery of the patches from the 3rd party OS vendor.
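
For the vADC software-installation case above, where exposure depends on the host operating system, the following added example (not Pulse Secure code) reads the status a Linux kernel reports for the three CVEs in this article. It assumes a Linux host whose kernel exposes /sys/devices/system/cpu/vulnerabilities; the function names are illustrative.

```shell
#!/bin/sh
# Added example: report the kernel's own view of the three CVEs in this article.
# Assumption: a Linux host whose kernel exposes the sysfs directory below.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status line to a short verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# Print one line per CVE; return 1 if any is VULNERABLE or UNKNOWN.
# $1 (optional) overrides the directory, which allows testing on sample files.
check_cpu_vulns() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    rc=0
    for pair in "CVE-2017-5753:spectre_v1" \
                "CVE-2017-5715:spectre_v2" \
                "CVE-2017-5754:meltdown"; do
        cve="${pair%%:*}"
        file="$dir/${pair#*:}"
        if [ -r "$file" ]; then
            status=$(head -n 1 "$file")
        else
            status=""   # entry absent: the kernel does not expose this status
        fi
        verdict=$(classify_status "$status")
        printf '%s %s %s\n' "$cve" "$verdict" "${status:-no sysfs entry}"
        case "$verdict" in VULNERABLE|UNKNOWN) rc=1 ;; esac
    done
    return "$rc"
}

# Report on the local host; a non-zero result means following up with the OS vendor.
check_cpu_vulns || echo "action needed: at least one CVE is not reported as mitigated"
```

Inside a virtual machine this reflects only the guest kernel; the hypervisor's status still has to be confirmed with its vendor, as noted above.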

Related Issue:

Pulse Desktop Windows Client: After installing Microsoft Patch KB4056892, end-users that use Pulse Client to initiate the connection may not be able to connect to the PCS/PPS gateway due to Host Checker failures. Please refer to KB43600 for more details and the latest updates on this issue.